Wired Trolls 5G Security

I’d like to go through a whole week without a major piece of misinformed drama showing up in my technology news feed; this is not going to be that week. Wired has pumped up a story about some security research on 5G (and other…) mobile networks.

The story’s headline styling is sure to grab attention: “As 5G Rolls Out, Troubling New Security Flaws Emerge: Researchers have identified 11 new vulnerabilities in 5G—with time running out to fix them.” Geez Louise, the main problems are “troubling”, “new”, and “time is running out.”

For the most part, researchers have discovered some scenarios where a 5G network connection can be downgraded to a 4G connection. When this happens, 5G is no better than 4G at protecting identity and location privacy. That is not a “troubling new flaw” in any meaningful sense.

Time is Not Running Out!

5G networks are at a very preliminary stage, with very little deployment outside of controlled testbeds. Not only is there time to fix the downgrade scenario, the clock hasn’t even started in any meaningful sense.

Current 5G standards and practices are not the end of the road, and both will be improved over time. This is not some new dynamic; it’s the way technology works.

We all know this, right? There were bugs in Apple’s mobile operating system iOS 13.0, most of which were corrected in 13.1. There were bugs in 13.1 that were corrected in 13.2, and now we’re on 13.2.2 with some old battery-draining bugs reintroduced. But the next release will probably fix them.

This is the world we live in.

Automated Bug Detection

The security researchers who found vulnerabilities in 5G presented their work at a security conference in London this week, the 2019 ACM SIGSAC Conference on Computer and Communications Security (CCS ’19). They’ve also published a paper, “5GReasoner: A Property-Directed Security and Privacy Analysis Framework for 5G Cellular Network Protocol.”

The paper reveals that none of the potential flaws found by the researchers have been confirmed to exist in commercial products. Researchers built simulations of 5G Radio Access Network switch devices (gNB) based on published specifications for 5G and probed them with a large number of attack messages following various strategies.

Automated bug detection where a virtual attacker goes after a virtual gNB will only tell us so much. While all of the potential flaws they found may be legitimate, they could also reflect incomplete knowledge of the behavior of 5G equipment in the field.

Not all Security Research is Important

This isn’t uncommon for network protocols: the official standards for Wi-Fi are ambiguous on several points as well, but these issues are cleared up when the Wi-Fi Alliance builds its certification testbeds. We can expect 5G vendors to interpret the standard and do their own testing, at least as exhaustively as the testing done by the academics.

While all information about potential flaws is useful, it’s not reasonable to take it as an indictment of the 5G standard, let alone to assume that all 5G equipment is dangerous, as Wired does. It’s also ridiculous to claim that some sort of important deadline is close at hand.

The potential flaws found by the researchers will need to be verified on real equipment. To the extent that they’re legitimate, they’ll be corrected. That may happen this year, and it may happen next year; in any case, it will probably be complete before the ordinary mobile network user has a 5G phone.

Desperately Seeking Eyeballs

The technology press has consistently let us all down ever since the Dot Com Bubble, when it was a cheerleader for all things fiber and online pet food companies. It has been especially bad on mobile technology, declaring the spectrum crunch a myth, claiming 5G is over-hyped, shrieking about 5G health risks, and now telling us 5G is nothing but bugs and Chinese surveillance.

Today’s Internet-based tech press is more concerned with monetizing its websites than with imparting good information. Perhaps this is simply the way media is nowadays, but the tendency to exaggerate seems to be amplified when the Internet press addresses the Internet itself.

Perhaps this is a consequence of the way the Internet has been overhyped as long as the public has been aware of it. Having raised expectations so high, a simple letdown is less satisfying than a brutal attack on our Internet dreams.

Well, don’t give up quite yet: the best is always yet to come. 5G is gonna be great, one way or another.